blackmoon | be5111324bcafce07aa6964bcaaf38a6ba9b36a4b1b933e4c528ca27c66f9c19

General

Target

be5111324bcafce07aa6964bcaaf38a6ba9b36a4b1b933e4c528ca27c66f9c19.dll
Size

14KB
MD5

05af806443adadd7fc86b4118a630840
SHA1

05f10e42d0465219e36aaccb6db73c160628759c
SHA256

be5111324bcafce07aa6964bcaaf38a6ba9b36a4b1b933e4c528ca27c66f9c19
SHA512

f4d37924223c897320b402988b27088c5a220fe08aab95db197cea8e1c715b79c94914ab3376a804dc7ee202ffe0ff604a5638ffc3e7a115bd2d05e118634890
SSDEEP

384:p3fpa2vDcNsyySVu2zMZzv3+ODnU8RBsAVxgOsIRJXuGK:ba2wWyPU2a/ZbRBsAVqsbXu

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/1120-56-0x0000000010000000-0x0000000010013000-memory.dmp	family_blackmoon
behavioral1/memory/1120-57-0x0000000010000000-0x0000000010013000-memory.dmp	family_blackmoon
behavioral1/memory/1120-58-0x0000000010000000-0x0000000010013000-memory.dmp	family_blackmoon

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	1120	rundll32.exe
6	1120	rundll32.exe
8	1120	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 1120	884	rundll32.exe	27
PID 884 wrote to memory of 1120	884	rundll32.exe	27
PID 884 wrote to memory of 1120	884	rundll32.exe	27
PID 884 wrote to memory of 1120	884	rundll32.exe	27
PID 884 wrote to memory of 1120	884	rundll32.exe	27
PID 884 wrote to memory of 1120	884	rundll32.exe	27
PID 884 wrote to memory of 1120	884	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\be5111324bcafce07aa6964bcaaf38a6ba9b36a4b1b933e4c528ca27c66f9c19.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\be5111324bcafce07aa6964bcaaf38a6ba9b36a4b1b933e4c528ca27c66f9c19.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1120-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1120-56-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1120-57-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1120-58-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing